Over the last year we have seen a dramatic rise in the number of data breaches being reported to the ICO under the General Data Protection Regulation (GDPR). Since the GDPR took effect in May 2018, it seems that awareness of cybersecurity issues, and of the obligation organizations have to report breaches, has increased.
We can see that this increase is reflected in the statistics. The Irish Data Protection Commission (IDPC), for example, revealed that 4,470 breaches were brought to their attention in 2018. This represented a total increase of 70% on the number of breaches reported in 2017.
A Quick Summary of the GDPR
The GDPR took effect on 25 May 2018 and was created to expand upon the out-of-date data protection regulations that already existed. Its primary function was to tighten the rules regarding the collection, use and disclosure of personally identifiable information (PII) and other forms of personal data. The regulation was drafted to be tougher on organizations and to give data subjects more rights and more visibility into how organizations use their data.
Why Has the Number of Reported Data Breaches Increased?
The key word here is “reported”.
One important aspect of the GDPR is that organizations are now under tighter regulations when it comes to reporting a data breach to the right authorities, victims and press in a timely manner. This is probably the main reason we are seeing such an increase in the number of reported breaches over the last 12 months.
Prior to the GDPR, there were only a handful of sectors that were under strict regulations to report a breach (such as the banking sector, for example). Voluntary reporting was, of course, seen as a best practice – but you can bet your life that the majority of organizations that experienced a breach looked to cover it up so that it didn’t affect their reputation or stock value.
How to Report a Breach of GDPR
Not every data breach you experience will need to be reported. If you experience a data breach that involved personal data (names, addresses, contact information etc.), then you will need to consider whether the breach poses a risk to the people whose data has been exposed. Does the breach increase the likelihood of someone’s credit card information being used fraudulently, for example? If so, then you will need to report the breach to the ICO.
To do this, you will need to call their breach helpline (which can be found on their website) and provide them with the following information:
- What happened
- How you found out about the breach and when
- Who has been affected by the breach
- What actions you are taking as a result of the breach
- Who their point of contact is for further information in the future
You can also report the breach online if you would prefer. You must report a personal data breach that poses a risk within 72 hours of discovery. You must also make contact with and inform the individuals affected by the breach. You must make sure that you have adequate GDPR breach detection solutions in place to help ensure it doesn’t happen again. Finally, you need to keep a record of the breach for future reference.